I just finish web based audit using Acunetik. From the result, I found that a lot of vulnerable service affected that particular server. Before I finish the report, I have to prove them that this website is really vulnerable. We just plan to put a text file inside their server to prove that somebody else who has malicious intention is able to have write access into their server.
From all these vulnerabilities, which one is the easiest to penetrate? Now I’m still in process to learn how to do cross site scripting and others exploit for web based application. When I search in link below, there is no specific / details how to do it. They only describe it generally.

1. PHP version vulnerable
Severity High
Affects PHP
DetailsCurrent version is PHP/4.0.6
TypeConfiguration
Description
This alert has been generated using only banner information. It may be a false positive.

Multiple vulnerabilities have been reported in PHP, which can be exploited to gain escalated privileges, bypass certain security restrictions, gain knowledge of sensitive information, or compromise a vulnerable system.

Affected PHP versions (up to 4.3.9/5.0.2).
ImpactPossible local and remote execution of arbitrary code. Check references for more information.
RecommendationUpgrade PHP to the latest version.
Reported by moduleVersion check
References
Hardened-PHP Advisoryhttp://www.hardened-php.net/advisories/012004.txt
Secunia Advisoryhttp://secunia.com/advisories/13481/
PHP 4.3.10 Release Announcementhttp://www.php.net/release_4_3_10.php
PHP Homepagehttp://www.php.net
Request
Response

2. Apache version vulnerable
Severity High
Affects Web Server
DetailsNo details are available.
TypeValidation
DescriptionThis version of Apache is vulnerable to HTML injection (including malicious Javascript code) through "Expect" header. Until not it was not classed as security vulnerability as an attacker has no way to influence the Expect header a victim will send to a target site. However, according to Amit Klein's paper: "Forging HTTP request headers with Flash" there is a working cross site scripting (XSS) attack against Apache 1.3.34, 2.0.57 and 2.2.1 (as long as the client browser is IE or Firefox, and it supports Flash 6/7+).

Affected Apache versions (up to 1.3.34/2.0.57/2.2.1).
ImpactMalicious users may inject JavaScript, VBScript, ActiveX, HTML or Flash to fool a user in order to gather data from them. An attacker can steal the session cookie and take over the account, impersonating the user. It is also possible to modify the content of the page presented to the user.
RecommendationUpgrade to the latest Apache versions. This flaw has been corrected in Apache versions (1.3.35/2.0.58/2.2.2)
Reported by moduleCGI Tester
References
Unfiltered Header Injection in Apache 1.3.34/2.0.57/2.2.1http://www.securityfocus.com/archive/1/433280
Forging HTTP request headers with Flashhttp://www.securityfocus.com/archive/1/441014/30/0/threaded
Apache homepagehttp://httpd.apache.org/
Request
GET / HTTP/1.0 Accept: */* User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322) Host: xxx Connection: Close Expect: <script>alert(1467229341)</script> Pragma: no-cache
Response
HTTP/1.1 417 Expectation Failed Date: Thu, 16 Aug 2007 05:04:06 GMT Server: Apache/1.3.22 (Unix) (Red-Hat/Linux) mod_jk mod_ssl/2.8.5 OpenSSL/0.9.6 DAV/1.0.2 PHP/4.0.6 mod_perl/1.24_01 Connection: close Content-Type: text/html; charset=iso-8859-1

3. PHP version vulnerable
Severity High
Affects PHP
DetailsCurrent version is PHP/4.0.6
TypeConfiguration
Description
This alert has been generated using only banner information. It may be a false positive.

Stefan Esser reported some vulnerabilities in PHP, which can be exploited by malicious people to cause a DoS (Denial of Service) or potentially compromise a vulnerable system.The vulnerabilities are caused due to boundary errors within the "htmlentities()" and "htmlspecialchars()" functions. If a PHP application uses these functions to process user-supplied input, this can be exploited to cause a heap-based buffer overflow by passing specially crafted data to the affected application. Successful exploitation may allow execution of arbitrary code, but requires that the UTF-8 character set is selected. For a detailed explanation of the vulnerability read the referenced article.
Vendor has released PHP 5.2.0 which fixes this issue.

Affected PHP versions (up to 4.4.4/5.1.6).
ImpactDenial of service, remote code execution.
RecommendationUpgrade PHP to the latest version.
Reported by moduleVersion check
References
PHP HTML Entity Encoder Heap Overflow Vulnerabilityhttp://www.hardened-php.net/advisory_132006.138.html
PHP Homepagehttp://www.php.net
Request
Response

4. PHP version vulnerable
Severity High
Affects PHP
DetailsCurrent version is PHP/4.0.6
TypeConfiguration
Description
This alert has been generated using only banner information. It may be a false positive.

Stefan Esser had discovered a weakness within the depths of the implementation of hashtables in the Zend Engine. This vulnerability affects a large number of PHP applications. It creates large new holes in many popular PHP applications. Additonally many old holes that were disclosed in the past were only fixed by using the unset() statement. Many of these holes are still open if the already existing exploits are changed by adding the correct numerical keys to survive the unset(). For a detailed explanation of the vulnerability read the referenced article.

Affected PHP versions (up to 4.4.2/5.1.3).
ImpactPossible code execution, SQL injection, ...
RecommendationUpgrade PHP to the latest version.
Reported by moduleVersion check
References
Zend_Hash_Del_Key_Or_Index Vulnerabilityhttp://www.hardened-php.net/hphp/zend_hash_del_key_or_index_vulnerability.html
PHP Homepagehttp://www.php.net
Request
Response

5. PHP version vulnerable
Severity High
Affects PHP
DetailsCurrent version is PHP/4.0.6
TypeConfiguration
Description
This alert has been generated using only banner information. It may be a false positive.

Multiple vulnerabilities have been reported in PHP, which can be exploited by malicious people to conduct cross-site scripting attacks, bypass certain security restrictions, and potentially compromise a vulnerable system.

Affected PHP versions (up to 4.4.0).
ImpactSecurity bypass, cross site scripting, denial of service, system access.
Check references for more information.
RecommendationUpgrade PHP to the latest version.
Reported by moduleVersion check
References
PHP 4.4.1. Release Announcementhttp://www.php.net/release_4_4_1.php
CAN-2005-2491http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2491
PHP Homepagehttp://www.php.net
Secunia advisoryhttp://secunia.com/advisories/17371/
Request
Response

thanks in advance...